
ROBERT GORDON UNIVERSITY

ABERDEEN BUSINESS SCHOOL


DEPARTMENT OF INFORMATION MANAGEMENT

Information Governance Policy: NHS South Midlands
Recommendations from the NHS Information Governance Working Party

PRIVACY OF PERSONAL DATA

IMPORTANT NOTE
The following report has been produced in response to a review of
all major policy documents inherited from the NHS South Midlands
merger.
This report aims to provide an appraisal of the Information
Governance issues important to the NHS South Midlands in order
to help guide the successful adoption of new policy measures,
following the failures of the existing Information Governance
policy, highlighted by a critical report by the Healthcare
Commission in 2008. The eight principal areas addressed in the
report include:

Privacy of personal data.

Patient confidentiality and access to health records.

Information security.

Legitimate disclosure issues.

Information and media disposal.

Audit requirements, monitoring and quality enhancement.

Staff awareness and training on regulations and compliance.

Research ethics and information governance (pertaining to the
Medical School).

It is a group report which covers all the above areas. Since I do not have
the consent of the rest of the group members, I cannot upload the
full report. I can only upload the part of the report which I have
produced.

TABLE OF CONTENTS

2.1 Introduction
2.1.1 Leakage of Personal Data - Case Studies
2.2 Definitions – Rights
2.2.1 Data Subject
2.3 Personal Data
2.4 Personal Sensitive Data
2.5 Data Controller
2.6 Data Processor
2.7 Patient Privacy and Patient - Doctor Confidentiality
2.8 Centralisation of medical records and medical records (privacy)
2.9 Genetic privacy
2.10 Privacy and data protection related to the NHS South Midlands’ website
2.10.1 Privacy statement
2.11 Information collection
2.12 Collection and use of technical information
2.12.1 Cookies
2.12.2 Log files
2.13 Notification
2.14 References

2.1 Introduction

In recent years, especially for the National Health Service, the issue
of the privacy of personal data has become more imperative than ever.
Massive amounts of information can be stored on small devices, and patients’
personal data could be exposed to unwanted individuals or organizations.
Therefore, the Data Protection Act and the people who work for the NHS
should ensure that patients’ personal data remain within the NHS.

2.1.1 Leakage of personal data - Case studies

Regarding the loss of personal data from the NHS:


“Between January and April this year the Information Commissioner’s
Office reported 140 security breaches in the NHS, which was more than
the total number inside central government (53 breaches) and all local
authorities (60 breaches) combined. Some 58 breaches in security
involved stolen data or hardware and 43 involved lost data or hardware”
(Gulland 2009).
Additionally, it should be mentioned that:
“Between November 2008 and April the Information Commissioner had to
take action against 14 NHS organizations for data breaches. In one case
Cambridge University Hospital NHS Foundation Trust reported the loss of
an unencrypted memory stick, containing the details of 741 patients, after
a member of staff left it in a car.” (Gulland 2009).

These incidents are only indicative. However, the NHS South Midlands has
been taking all the necessary technological and ethical precautions in order
to ensure that patients’ personal data remain within the
organization.

2.2 Definitions - rights
2.2.1 Data subject

For the NHS South Midlands there is a clear definition on what a data
subject is. According to the Data Protection Act (DPA), quoted by the
Information Commissioner’s Office (ICO) (2009 p.26):
“Data subject means an individual who is the subject of the personal data.
The data subject is the individual whom particular personal data is about.
The Act does not count as a data subject an individual who has died or
who cannot be identified or distinguished from others.”
It is of vital importance for the NHS South Midlands to keep in mind that the
rights of the data subject are to be fully respected, as set out by Pedley (2003
p.65-66):

1. “Right of access to personal data which means that the individuals
have a right to know the identity of the data controller, the
purposes for which their data will be used.
2. Right to prevent processing that is causing, or likely to cause,
unwarranted and substantial damage or distress to the individual,
or to anyone else.
3. Right to prevent processing for the purposes of direct marketing
4. Right to be given an explanation as to how many automated
decisions taken about you have been made.
5. Compensation – data subjects are entitled to claim compensation
through the courts if damage has been caused as a result of a data
controller not meeting any requirements of the DPA and in
particular if they have broken any requirements of the DPA.
6. Right to correction, blocking, erasure, or destruction of inaccurate
data.
7. Right to request an assessment by the Information Commissioner’s
Office of the legality of processing that is occurring.”

2.3 Personal data

Personal data means data which relate to a living individual who can be
identified:
i. “from those data
ii. or, from those data and other information which is in the
possession of, or it is likely to come into the possession of, the
data controller and includes any expression of opinion about the
individual and any indication of the intentions of the data
controller or any other person in respect of the individual”
(Great Britain. Information Commissioner’s Office 2009 p.22)
It is essential to mention, regarding personal data, that the DPA is
governed by eight fundamental principles, which should be respected by
the South Midlands:

1. “Personal data should be processed fairly and lawfully
2. Data must only be obtained for a specific purpose
3. Personal data shall be adequate, relevant and not excessive in
relation to the purpose for which it is processed.
4. Personal data shall be accurate and where necessary kept up to
date
5. Personal data should not be kept for longer than is necessary
6. Personal data shall be processed in accordance with the rights of
data subjects under the DPA.
7. Appropriate technical and organizational measures should be used
to protect against unauthorized or unlawful processing of personal
data and against accidental loss or destruction of, or damage to,
personal data.
8. Personal data shall not be transferred to a country or territory
outside the European Economic Area (EEA) unless that country or
territory ensures an adequate level of protection for the rights and
freedom of data” (Pedley 2003)

2.4 Personal sensitive data

It is important for the NHS South Midlands to elucidate that apart from
personal data, there is also the term “personal sensitive data”. According
to the DPA, quoted by the Information Commissioner’s Office (2009,
p.23), sensitive personal data means personal data consisting of
information as to:
• “The racial or ethnic origin of the data subject
• His/her political opinions
• His/her religious beliefs of a similar nature
• Whether he is a member of a trade union (within the meaning of
the Trade Union and Labor Relations (Consolidation) Act 1998)
• His/her physical or mental health or condition
• His/her sexual life
• The commission or alleged commission by himself of any offense, or
• Any proceedings for any offense committed or alleged to have been
committed by him/her, the disposal of such proceedings or the
sentence of any court in such proceedings.”

Based on the above, the NHS South Midlands should make it a
top priority to secure and maintain the principles that govern the notion
of “sensitive personal data”.

2.5 Data controller

Within the confines of NHS South Midlands, the presence of the data
controller should be vital for ensuring the privacy of data.
“The data controller is the person who (either alone or jointly or in
common with other persons) determined the purposes for which and the
manner in which any personal data are, or are to be, processed” (Great
Britain. Information Commissioner’s Office 2009 p.26).

2.6 Data processor

For the NHS South Midlands, the data processor should work in close
connection with the data controller.
“Data processor is the person (other than an employee of the data
controller) who processes the data on behalf of the data controller” (Great
Britain. Information Commissioner’s Office 2009 p.27).
The data processor must explicitly follow the conditions below
whenever personal data are being processed. These
conditions are:
• “The individual who the personal data is about has consented to the
processing
• The processing is necessary
  - in relation to a contract which the individual has entered into
  - because the individual has asked for something to be done so they
    can enter into a contract
• The processing is necessary to protect the individual’s “vital
interests”. This condition only applies in cases of life and death,
such as where an individual’s medical history is disclosed to a hospital’s
A+E department treating them after a serious road accident.
• The process is necessary for administering justice, or for exerting
statutory, governmental or other public functions.
• The processing is in accordance with the “legitimate interests”
condition” (Great Britain. Information Commissioner’s Office 2009
p.110)

2.7 Patient privacy and patient-doctor confidentiality

A crucial field for any NHS organization is privacy: not only privacy of
personal data but also patient privacy. It should be taken into serious
consideration that patient privacy is of the essence. As a case in point, the
NHS South Midlands should have as its duty “to treat the patient with
respect and autonomy protecting your personal data and your physical
person from privacy invasion” (YourPrivacy 2010).
The NHS has a duty to ensure single-sex accommodation and
privacy on the ward for the patient, and to protect the patient’s dignity.

The fundamental right to privacy is guaranteed by each constitution. The
constitution protects against invasions of privacy by government,
private entities or arms thereof. The doctor-patient relationship is one
which evokes constitutional rights of privacy (Encyclopedia of Everyday
Law 2010).
[For more details please refer to the chapter Patient Confidentiality and
Access to Health Records]

2.8 Centralization of medical records and medical records (privacy)

The NHS South Midlands, like the other NHS organizations, plans
to centralize all patient records within the confines of patient privacy.
“This involves the gradual transfer of every medical record to an electronic
database, which will be accessible to healthcare professionals all over the
country” (YourPrivacy 2010).
“Patients have a right to see all records held on them. However medical
professionals are entitled to withhold your medical records under certain
conditions” (YourPrivacy 2010).
[For more details please go to the chapter Patient Confidentiality and Access
to Health Records]

2.9 Genetic privacy

Regarding genetic privacy the NHS South Midlands respects the genetic
privacy of its own patients.
The Department of Health (2010):
“Takes a firm stance on patient privacy. Medical professionals will always
put the patient first, respecting their right to privacy. If you wish to keep
your condition secret from family members, you have every right to do so.
If you do not want your medical information used for healthcare research,
or even passed on to other professionals, your wishes will be respected.
According to the Department of Health there are some exceptions that the
disclosure of medical information is acceptable, legal whether the patient
is dead or alive, under the condition that it meets the requirements of the
DPA”.

Disclosure is permitted when:

• “There are reasonable grounds (to protect the patient, their family,
or community)
• If it is considered democratically necessary (particularly where it
might affect others)
• It is proportionate to the need” (YourPrivacy 2010)

Regarding insurers and employers, the NHS South Midlands should be
fully compliant with the DPA. Therefore, for the NHS South Midlands:

“Your employer has a right to ask for genetic information, but the DPA
insists that she/he has a reason for doing so. Any medical information,
including hereditary and long-term conditions must be stored in a
separate place and not made available. Insurers too, will ask intimate
questions about your medical history. They are bound by the same rules
and must not use your information except for research purposes (to
improve their own services)” (YourPrivacy 2010).

2.10 Privacy and data protection related to the NHS South Midlands’ website

2.10.1 Privacy statement

The NHS South Midlands should be committed to preserving the privacy of
all UK visitors to this website, according to the National Information
Governance for Health and Social Care (NIGB 2010).
“By using this website you consent to the collection, use and transfer of
the information that you provide to us in accordance with the terms of this
policy. We reserve the rights to change the contents of this website,
including this privacy policy at any time, by posting such changes on the
website. It is your responsibility to familiarize yourself with this policy
regularly to ensure that you are aware of any changes. Your continued
use of this website following the posting of any such changes will
constitute your acceptance of the revised privacy policy. If you do not
accept this privacy policy you may not use this website.” (Great Britain.
National Information Governance for Health and Social Care 2010)

2.11 Information collection

The NHS South Midlands should clearly state that:


“If you register with the website, or if you fill in a form on the website,
you may be asked to provide information about yourself (including your
name and contact details). We may also collect information about your
usage of this website as you and others browse and use our website, as
well as information about you from messages you post to the website and
emails or letters you send to us” (Great Britain. National Information
Governance for Health and Social Care 2010)

2.12 Collection and use of technical information

2.12.1 Cookies

“Cookie is a data file written to your hard drive by a web server that
identifies you to a site and it helps a website “remember” who you are
and set preferences accordingly when you return” (PC World 2000).

2.12.2 Log files

Regarding the log files the NHS South Midlands should ensure that:
“Every time the website is accessed an entry is made in the web server’s
log file. This tells us broadly where an access is coming from, when it was
made, which file was requested and whether the request was successful
or not. It usually does not allow us to identify individual users. The data is
used to assess usage levels and spot technical problems (such as broken
pages or web server errors or hack attempts).” (Great Britain. National
Health Service Institute for Innovation and Improvement 2010)

2.13 Notification

If the data subject wishes to have access to his/her personal data,
then the NHS South Midlands should comply. According to the DPA,
quoted by Pedley (2003 p.61):

The DPA says that those who record and use personal information must
notify the ICO that they process personal data. A register of data
controllers is available on the website: www.dpr.gov.uk. Each entry
consists of:
• “The data controller’s name and address
• A description of the personal data being processed
• The categories of data subject to which they relate
• Data classes such as employment details
• A description of the purpose(s) for which data is or may be
processed
• A description of recipient(s) to whom the data will be disclosed
• The name of countries or territories outside the EEA (European
Economic Area) to which the data is or might be transferred either
directly or indirectly by the data controller. Those who process
personal data must provide access to the data that they hold on a
person in order that the data subject can check and correct their
records and prevent certain types of processing.”

REFERENCES/BIBLIOGRAPHY

ENOTES, 2010. Doctor-Patient confidentiality. [online]. Seattle, WA:
Enotes. Available from: http://www.enotes.com/everyday-law-encyclopedia/doctor-patient-confidentiality
[Accessed 27 February 2010]

GREAT BRITAIN. INFORMATION COMMISSIONER’S OFFICE, 2010.
Guide to Data protection. Cheshire: Information Commissioner’s Office.

GREAT BRITAIN. NATIONAL HEALTH SERVICE INSTITUTE FOR
INNOVATION AND IMPROVEMENT. Privacy [online]. Warwick:
University of Warwick. Available from:
http://www.institute.nhs.uk/organisation/about_nhsi/about_the_nhs_institute.html
[Accessed 1 March 2010]

INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE,
2010. Privacy statement for information governance board for health
and social care. London: Information Governance Board for Health and
Social Care.

PEDLEY, P., 2003. Essential law for information professionals. London:
Facet.

YOURPRIVACY, 2010. Expert advice to safeguard your privacy. [online].
United Kingdom: Available from: http://www.yourprivacy.co.uk
[Accessed 11 March 2010]
